skip to Main Content

I have a Chrome extension. On one of the extension pages I want to open an iframe where the source is not from the same source but from the extension page.
I keep getting this error:

Refused to display ‘https://example.com/’ in a frame because it set X-Frame-Options to sameorigin.

I understand why it is happening but when searching for a fix I run into an endless maze of "host-permissions", "permissions", "content-security-policy" on the manifest page.
Which one am I supposed to use to fix this?
I also cant figure out if I should be putting this block of code on my extensions js page or not?

const iframeHosts = [
  'example.com',
];
chrome.runtime.onInstalled.addListener(() => {
  const RULE = {
    id: 1,
    condition: {
      initiatorDomains: [chrome.runtime.id],
      requestDomains: iframeHosts,
      resourceTypes: ['sub_frame'],
    },
    action: {
      type: 'modifyHeaders',
      responseHeaders: [
        {header: 'X-Frame-Options', operation: 'remove'},
        {header: 'Frame-Options', operation: 'remove'},
        // Uncomment the following line to suppress `frame-ancestors` error
        // {header: 'Content-Security-Policy', operation: 'remove'},
      ],
    },
  };
chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: [RULE.id],
    addRules: [RULE],
 });
});

It was the second post on this question. Getting around X-Frame-Options DENY in a Chrome extension?
I am using and require a manifest version 3 solution.

2

Answers


  1. Chosen as BEST ANSWER

    I found a solution to this, finally. In the manifest, or the manifest.json if you want to be specific.

    "declarative_net_request" : {
    "rule_resources" : [{
      "id": "removeHeader",
      "enabled": true,
      "path": "remove-headers.json"
    }]
    

    }

    Next a new file was needed called remove-headers.json

    [
    {
        "id": 1,
        "priority": 1,
        "action": {
            "type": "modifyHeaders",
            "responseHeaders": [
                { "header": "x-frame-options", "operation": "remove" },
                { "header": "content-security-policy", "operation": "remove"},
                { "header": "referrer-policy", "operation": "remove"}
            ]
         },
        "condition": { "urlFilter": "https*", "resourceTypes": 
        ["main_frame","sub_frame"] }
    }
    ]
    

    This was issue had much more clarity after reading this github page. https://github.com/MartinWie/Framer/tree/main


  2. You can remove undesirable headers as they arrive with a function like the one below:

    In background.js

    chrome.webRequest.onHeadersReceived.addListener(function(info){
    
     var H=info.responseHeaders, N=''; // V='';
    
      for(let i=H.length-1; i>=0; i--){N=H[i].name.toLowerCase(); // V=H[i].value.toLowerCase();
    
       if((N.includes('x-frame-options'))||(N.includes('x-xss-protection'))||(N.includes('content-security-policy'))||(N.includes('report-'))){
    
        H.splice(i,1); 
    
    }} return {responseHeaders:H};},{urls:['<all_urls>'],types:['main_frame','sub_frame']},['blocking','responseHeaders','extraHeaders']);
    

    In manifest.json (version 2) you’ll also need this entry if not already there…

     "background": {"scripts": ["background.js"],.....  },
    

    NB: I get rid of a couple more headers other than X-Frame-Options so do check the script and remove what you don’t want.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search